DETAILED ACTION

• Applicant's amendment filed on July 14, 2008 has been entered. Applicant has
amended claims 1 and 21; canceled claims 22 and 31-33; and added claims 34-45.
Currently claims 1, 2, 9, 21, 27-30 and 34-45 are pending in this application. Any
well known art statements made in the prior office action not argued by applicant
are taken as admittance of prior art as per MPEP 2144.03.

• Examiner acknowledges receiving terminal disclaimer to overcome nonstatutory 
double patenting rejection for claims 1, 2, 9, 21 and 28-30. The terminal
disclaimer filed on August 25, 2008 has been approved. As a result, the
nonstatutory double patenting rejection is withdrawn. 



Priority 

1. This application is filed as a continuation in part (CIP) of application 10/113875. In
order for claims in the CIP application (that is, a continuation-in-part of an earlier U.S.
application) to receive the effective filing date of the parent application, claims in the
new application must be supported by the specification and claims of the parent
application. Examiner, in order to establish the effective filing date for claims in this
application, reviewed parent application 10/113875 and was not able to find full support
for both independent claims 1 and 21 of this application in the parent application. For
example, claims 1 and 21 both require, with other limitations, "wherein when the
verification service causes the web page object to have at least one of the first and
second contents, the web page object appears invisible to the visitor after it is rendered
by the visitor's browser". Examiner was unable to find support for all these limitations in
the parent application (10/113875). As a result, examiner asserts that all the
independent claims receive the effective filing date of 09/29/2003, which is the filing date
of this application. Since the independent claims aren't fully supported by the parent
application, dependent claims which incorporate all the limitations of independent claims
also are not fully supported by the parent application. As a result, all the dependent
claims also receive the effective filing date of 09/29/2003.

Response to Arguments 

2. Applicant's arguments with respect to claims 1, 2, 9, 21, and 27-30 have been
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC §112 

3. The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

Claim 42 is rejected under 35 U.S.C. 112, first paragraph, as failing to comply 
with the written description requirement. The claim(s) contains subject matter which 
was not described in the specification in such a way as to reasonably convey to one 
skilled in the relevant art that the inventor(s), at the time the application was filed, had 
possession of the claimed invention. Claim 42 recites the following limitation: "wherein
the schedule is requested by the visitor". Examiner was unable to find support for this
limitation in original disclosure. Correction/Clarification is required. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1, 2, 9, 21, 27-30, 35, 38-39, and 41-45 are rejected under 35 U.S.C. 103
(a) as being unpatentable over Khaishgi et al. (US 6,658,394 B1), hereinafter "Khaishgi"
in view of Guirguis (Guirguis, Ragi: "Network- and Host-Based Vulnerability
Assessments: An Introduction to a Cost Effective and Easy to Use Strategy": GIAC
Security Essentials (GSEC) Practical, Version 1.4b, Publication Data: June 14, 2003),
hereinafter "Guirguis" and further in view of Tiso (Tiso, John; "Automated Security
Scanning": Sys Admin, Volume 9, Issue 10, Pages 73-78, Publication: October 2000),
hereinafter "Tiso" and further in view of Bunker, V et al. (US 2003/0028803), hereinafter
"Bunker".

Regarding Claims 1 and 21 Khaishgi discloses an apparatus and corresponding 
method for providing a security status of an on-line service, comprising: 

a web page object (Column 1, lines 26-28, "electronic seals") that is automatically 
rendered by a browser when a visitor uses the browser (Fig. 5, Numerals 52, 54, 56, 
and 58, and at Column 2, lines 34-44, "browser") to access one or more web pages of 
the on-line service (Fig. 1, Numeral 4, "Merchant") via a public network (Fig. 1, Numeral
12, "Network"); and 

a verification service (Fig. 2, Numeral 8, "Certification Service") that hosts the 
web page object (Fig. 2, Numeral 22, "Seal Servers") separately from the one or more 
web pages of the on-line service (Fig. 2, Numeral 4, Merchant's server(s) numeral 4 are 
separate from the "Seal servers 22" of "Certification Service", also refer to Column 3, 
lines 14-25), and further controls contents of the web page object (Column 3, lines 26- 
42), 

wherein the visitor is not required to take any action other than requesting access
to the on-line service via the browser to receive the security status through the 
automatic rendering of the web page object by the visitor's browser (Column 2, lines 66- 
67 and Column 3, lines 1-2, "Merchants 4 post their corresponding electronic seals on 
their web sites or in electronic mail messages (emails) in order to increase the 
confidence of potential customers", Note: Since the web page of the merchant contains the
link of the seal, the seal is generated and displayed on the web page when the client
generates a request for a web page from a merchant; the client will only need to take
further action (i.e. click on the seal) if the client wants "more information" about the seal and
merchant, refer to Column 3, lines 14-25), and

wherein the verification service causes the contents of the web page object to be 
changed in accordance with its prior determination of a level of the security status 
(Column 4, lines 60-67 and Column 5, lines 1-7, "When user 6 accesses a merchant 4, 
client device 10 is directed to retrieve a seal from seal servers 22. More specifically, 
seal servers 22 receive a request from computing device 10 that includes a unique
identifier for one of the merchants and, therefore, uniquely identifies one of the media 
objects within seal repository 25 (step 52). Seal servers 22 log the request by storing 
the IP address within request log 24 (step 54) and select the appropriate media object 
according to the unique identifier (step 56). "), such that when the verification service 
determines, in a first verification operation prior to the visitor's access request, that the 
on-line service has a first level of the security status, it causes the web page object to 
have first contents (Column 4, lines 60-67 and Column 5, lines 1-7, Seal server provides
the electronic seal corresponding to the merchant to the client), and when the 
verification service determines, in a second verification operation prior to the visitor's 
access request, that the on-line service has a different second level of the security 
status (Column 4, lines 49-52, "Next, seal maintenance modules 27 periodically 
regenerate the media objects in order to update the embedded information including the 
expiration date (Step 48).") , it causes the web page object to have different security 
status levels via the browser's automatic rendering of the prior-determined and changed 
web page object contents when the visitor requests access to the on-line service 
(Column 4, lines 52-54, "For example, a new set of media object can be generated daily 
in order to facilitate detection of expired seals"), and 

wherein the first and second verification operations to determine the on-line 
service's security status and control the contents of the web page object are performed 
by the verification service prior to and completely independently from the visitor's 
request to access the on-line service, and independently from any action by the visitor 
and visitor's browser (Column 4, lines 28-57, Note: Both the seal generation and
maintenance are done by certification service and these steps are done completely
independently from the visitor's request to access the on-line service, i.e. visitor's
request to access the on-line service does not trigger initial seal request operation from
merchant (Fig. 3) or the maintenance which can be done daily), and

wherein when the verification service causes the web page object to have at 
least one of the first and second contents, the web page object appears invisible to the 
visitor after it is rendered by the visitor's browser (Column 4, lines 54-57, "In one 
configuration, seal issuer 8 generated a media object having a transparent image when 
the corresponding merchant 4 loses its certification status, In this manner, the seal 
"disappears" from the merchant web site"). 

Khaishgi discloses changing the seal in response to detecting expiration of the seal 
(Column 4, lines 54-57). Khaishgi does not explicitly disclose: 

wherein the levels of the security status displayed for the visitor via the automatic 
rendering of the web page object indicate how vulnerable devices and services of the 
on-line service are to hackers and other online security threats as determined by the 
first and second verification operations; wherein at least one of the first and second 
verification operations includes scanning the on-line service from a remote address on 
the network and wherein the scanning produces a set of XML files including information 
about open ports, available service, network protocols, security exposures and 
vulnerabilities associated with a device providing the on-line service and wherein a scan 
header record associated with the scanning is stored in a database. 

Guirguis discloses a system (nessus engine) which detects how vulnerable
devices and services of the on-line service are to hackers and other online security
threats as determined by a verification operation (see, Page 2, 2nd Paragraph,
"Vulnerability assessments identify and suggest fixes for possible vulnerabilities that
attackers might exploit in operating systems or in mail, HTTP, and FTP servers.") and
wherein at least one of the first and second verification operations includes scanning the
on-line service from a remote address on the network (See Page 5, Section 3.1.3) and
wherein the scanning produces a set of XML files including information about open
ports, available service, network protocols, security exposures and vulnerabilities
associated with a device providing the on-line service (see, Page 2, 2nd paragraph and
Page 6, Section 3.1.4) wherein a scan header record associated with the scanning is
stored in a database (see, Page 6, 2nd Paragraph).

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to scan the online services of Khaishgi from a remote location 
for vulnerabilities as taught by Guirguis because "performing VAs on company systems 
provide three key pieces of information necessary for improving their security: 1) it is 
easier to locate which systems are vulnerable, 2) it identifies what services/components 
are vulnerable, and 3) it suggests the best method for repairing the vulnerabilities (i.e. - 
it recommends which patch or software version should be used/applied). Performing 
this procedure on a regular basis allows IT professionals to find and repair possible 
security vulnerabilities before attackers find and exploit them." (See, page 2, 2nd
paragraph). 

The combination of Khaishgi and Guirguis further discloses the scan header
record including a number of vulnerabilities classified by severity level (see, Guirguis, 
Page 6, 1st paragraph). 

The combination of Khaishgi and Guirguis does not explicitly disclose the scan 
header record including a date, launch time, and duration. 

However, Tiso discloses generating a scan report including date, launch time and 
duration (see, Page 74, Table 1). 

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to add, in the scan report of the combination of Khaishgi and 
Guirguis, date, launch time and duration of the scan as taught by Tiso so that a reviewer of
the report can simply look at the summary to get some overview about the scan results.

The combination of Khaishgi, Guirguis and Tiso does not disclose wherein at 
least one of the first and second verification operations include determining the security 
status by comparing a fingerprint of a new vulnerability to a stored list of the devices 
and services and without performing an actual scan or test of the devices and services. 

However, Bunker discloses determining the security status by comparing a 
fingerprint of a new vulnerability to a stored list of the devices and services and without 
performing an actual scan or test of the devices and services (paragraph 0019, lines 11-14,
"The configuration of the new vulnerability may be compared to the customer's
system network configuration in the last test for the customer.")

Therefore, it would have been obvious at the time the invention was made to one
of ordinary skill in the art to further modify the virus scanner of the combined system of
Khaishgi, Guirguis and Tiso to send an alert based on information in the stored profile and
newly received vulnerability information without requiring a new scan, as taught by
Bunker, so "only customers affected by the new security vulnerabilities may receive the
alert" (paragraph 0020 lines 1-2); also, this kind of configuration provides real time
security alerts that warn operators to perform appropriate action when a newly
received security vulnerability can potentially harm their system.

Regarding Claims 2 and 27, rejections of claims 1 and 21 are incorporated and the
combination of Khaishgi, Guirguis, Tiso and Bunker further discloses wherein the
on-line service comprises devices and services (Fig. 1, Numeral 4, representing web-
servers of Merchant 4) and verification service determines the security status level of 
the on-line service (Column 2, lines 44-46, "Seal issuer 8 verifies the credentials, 
policies or business practices of each Merchant 4 and issues a corresponding seal of 
certification to each merchant 4 upon verification.") by evaluating vulnerability scan of 
the devices and services comprising the on-line service (see Guirguis, Page 6, Section 
3.1.4) 

Regarding Claims 9 and 28, rejections of claims 2 and 27 are incorporated and 
the combination of Khaishgi, Guirguis, Tiso and Bunker further discloses verification 
service periodically receives result of a new vulnerability scan of the devices and 
services comprising the on-line service and causes the contents of the web page object 
to be changed if a changed security status level is determined, thereby automatically
providing the visitor with an updated security status (see Guirguis, Page 5, Section
3.1.3, and Khaishgi, Column 4, lines 49-57)

Regarding Claim 29, the rejection of claim 21 is incorporated and the
combination of Khaishgi, Guirguis, Tiso and Bunker further discloses the web page 
object comprises an image and an associated URL (Column 3, lines 28-31, "Each 
media object contains media, such as image data, video data, and audio data, that 
merchant 4 presents as an electronic seal of certification." and also at Column 3, lines 
58-67, URL for the seal). 

Regarding Claim 30, the rejection of claim 21 is incorporated and the 
combination of Khaishgi, Guirguis, Tiso and Bunker further discloses the web page 
object comprises a graphical file whose contents are periodically updated in accordance 
with a periodically determined security status level (Column 3, lines 28-31, "Each media 
object contains media, such as image data, video data, and audio data, that merchant 4 
presents as an electronic seal of certification." and at Column 4, lines 49-57, "Next, seal 
maintenance modules 27 periodically regenerate the media objects in order to update 
the embedded information including the expiration date (step 48). For example, a new 
set of media objects can be generated daily in order to facilitate detection of expired 
seals.") 

Regarding Claim 35, the rejection of claim 1 is incorporated and the combination 
of Khaishgi, Guirguis, Tiso and Bunker further discloses wherein the scanning is 
performed using a scanning engine of the verification service (see, Guirguis, Page 5, 
section 3.1.2). 

Regarding Claim 38, the rejection of claim 1 is incorporated and the combination
of Khaishgi, Guirguis, Tiso, and Bunker further discloses wherein the visitor is allowed 
to log in and review interactive reports associated with the scanning (see, Khaishgi Fig. 
6 for user requesting the merchant information combined with Guirguis, Page 6, Section 
3.1.4). 

Regarding Claim 39, the rejection of claim 1 is incorporated and the combination 
of Khaishgi, Guirguis, Tiso and Bunker further discloses wherein the levels of security 
status displayed for the visitor includes a security meter (see, Khaishgi, Fig. 6 combined 
with Guirguis, Page 6, Section 3.1.4). 

Regarding Claims 41 and 42, the rejection of claim 1 is incorporated and the 
combination of Khaishgi, Guirguis, Tiso and Bunker further discloses wherein the 
scanning is performed according to a schedule and is requested by the visitor (see, 
Bunker, Paragraphs 0051-0052). 

Regarding Claim 43, the rejection of claim 1 is incorporated and the combination 
of Khaishgi, Guirguis, Tiso and Bunker further discloses wherein the information in the 
database is initialized manually (see, Khaishgi, Column 4, lines 32-34 describing 
manual registration process). 

Regarding Claim 44, the rejection of claim 43 is incorporated and the 
combination of Khaishgi, Guirguis, Tiso and Bunker further discloses wherein the 
information in the database is initialized automatically (see, Khaishgi, Column 4, lines 
32-34, describing automatic registration process). 

Regarding Claim 45, the rejection of claim 1 is incorporated and the combination
of Khaishgi, Guirguis, Tiso and Bunker further discloses wherein the scanning is 
performed on each device registered by the on-line service in the database (see, 
Bunker, Paragraphs 0052-0054). 

Claim 34 is rejected under 35 U.S.C. 103 (a) as being unpatentable over 
Khaishgi in view of Guirguis, Tiso, Bunker and further in view of Nessus Scan Report 
(retrieved from: 

http://web.archive.org/web/20001217231600/www.nessus.org/demo/report.txt, 
Publication: 2000), hereinafter "Nessus Scan Report". 

Regarding Claim 34, the rejection of claim 1 is incorporated and the combination 
of Khaishgi, Guirguis, Tiso and Bunker further discloses the database stores the 
information about the open ports on the device providing the online services (see Page 
6, 1st paragraph). 

The combination does not, however, explicitly disclose including in the report
generic services expected to be running on the open ports, and actual services running 
on the open ports, including a Version and network message protocol associated with 
the actual services. 

However, Nessus Scan Report discloses a report that includes generic services 
expected to be running on the open ports, and actual services running on the open 
ports, including a Version and network message protocol associated with the actual 
services (see, Nessus Scan Report, "Information found on port ftp (21/tcp) bonsai
microsoft ftp service (version 4.0). 500 'get / http/1.0': command not understood").

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to add, in the scan report of the combined system of Khaishgi, 
Guirguis, Tiso and Bunker, information about generic services expected to be running 
on the open ports, and actual services running on the open ports, including a Version 
and network message protocol associated with the actual services so that the 
administrator of the web server can identify vulnerabilities within open ports and resolve 
them efficiently. 

Claims 36-37 are rejected under 35 U.S.C. 103 (a) as being unpatentable over 
Khaishgi in view of Guirguis, Tiso, Bunker and further in view of Blyth (Blyth, Andrew:
"An XML-based architecture to perform data integration and data unification in
vulnerability assessments", Information Security Technical Report, Volume 8, Issue 4,
April 2003, Pages 14-25), hereinafter "Blyth".

Regarding Claim 36, the rejection of claim 35 is incorporated and the 
combination of Khaishgi, Guirguis, Tiso and Bunker discloses generating XML reports;
however, the combination does not explicitly disclose wherein the scanning engine
parses the set of XML files and stores records of the parsed set of XML files in the 
database in association with an account number of a provider of the online service. 

However, Blyth discloses scanning engine parses the set of XML files and stores 
records of the parsed set of XML files in the database in association with an account 
number of a provider of the online service (see, Page 16, 1st paragraph, Fig. 1 and also
Fig. 6). 

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to parse, the set of XML files produced by the combination of 
Khaishgi, Guirguis, Tiso and Bunker, in the database as taught by Blyth so that "large 
quantities of security-related information can be captured within a single database 
schema" (see, Blyth, Abstract). 

Regarding Claim 37, the rejection of claim 36 is incorporated and the 
combination of Khaishgi, Guirguis, Tiso, Bunker and Blyth further discloses the records 
include a detail record for each positive test result associated with the scanning (see, 
Blyth, Fig. 11). 

Claim 40 is rejected under 35 U.S.C. 103 (a) as being unpatentable over 
Khaishgi in view of Guirguis, Tiso, Bunker and further in view of Nyanchama et al. (US
2003/0154269 A1), hereinafter "Nyanchama".

Regarding Claim 40, the rejection of claim 1 is incorporated and the combination 
of Khaishgi, Guirguis, Tiso, and Bunker does not explicitly disclose wherein the levels of 
the security status displayed for the visitor include an overall numeric rating.

However, Nyanchama et al. (US 2003/0154269 A1) discloses displaying the 
levels of security status that include an overall numeric rating (see Paragraph 0031). 

Therefore, it would have been obvious at the time the invention was made to one 
of ordinary skill in the art to include, in the security status report of the combined system 
of Khaishgi, Guirguis, Tiso and Bunker, an overall numeric rating as taught by 
Nyanchama because that provides "automated assessment and quantification of, or
security risks associated with, the vulnerabilities of computer network" (see, 
Nyanchama, Paragraph 0001). 

Conclusion 

5. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to YOGESH PALIWAL whose telephone number is 
(571)270-1807. The examiner can normally be reached on M-F: 7:30 AM - 5:00 PM 
EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Y. P./

Examiner, Art Unit 2435 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2431 



